Dirty Cow Vulnerability Patched in Android Security Bulletin

Today’s Android Security Bulletin included a patch for the Dirty Cow vulnerability, a seven-year-old Linux bug that had yet to be patched by Google.

The Dirty Cow vulnerability lived in Linux for close to a decade, and while it was patched in October in the kernel and in Linux distributions, Android users had to wait for more than a month for their fix.

Today, Google included a patch for CVE-2016-5195 in the monthly Android Security Bulletin, the final one for 2016. The Dirty Cow patch is one of 11 critical vulnerabilities, all of which are in the Dec. 5 patch level; a separate Dec. 1 patch level was also released today that included patches for 10 high-severity vulnerabilities.

Dirty Cow was patched in October after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.

The flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition to gain write access to read-only memory. Researcher Phil Oester disclosed the vulnerability and a proof-of-concept exploit.

“This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said.

Copy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. The vulnerability allows an attacker to exploit the race condition to write to the original page before it’s marked dirty.

Google also patched a separate kernel memory subsystem bug rated critical. CVE-2016-4794 affects only the new Pixel, Pixel C and Pixel XL devices, and can also allow an attacker to elevate to root privileges.

Six other critical bugs were addressed in the NVIDIA GPU and video drivers; the GPU bugs affect only Nexus 9 devices, while one of the video driver flaws also affects the Pixel C. The patches, Google said, are not publicly available and instead are contained in the latest binary drivers for Google devices.

Two other critical bugs in the kernel and kernel ION driver were also patched today, both of which allow an attacker to elevate their privileges.

Google also patched additional vulnerabilities in Qualcomm components, which have been a sticking point this year in multiple updates and public attacks, most notably Quadrooter, which was patched in September. Quadrooter was disclosed this summer at DEF CON and put hundreds of millions of devices at risk, similar to Stagefright. Researchers at Check Point Software Technologies disclosed the privilege escalation vulnerabilities, which could be used in remote code execution attacks. Multiple subsystems of the Qualcomm chipset were affected and the vulnerabilities could have been exploited to bypass existing mitigations in the Android Linux kernel, allowing an attacker to gain root privileges, Check Point said.

Google said that today’s patch addresses flaws that could also lead to code execution.

“An elevation of privilege vulnerability in the Qualcomm MSM interface could enable a local malicious application to execute arbitrary code within the context of the kernel,” Google said.

The Dec. 5 patch level also includes patches for vulnerabilities rated high severity in the kernel, kernel file system, HTC sound code, MediaTek drivers, Qualcomm codecs and drivers, and NVIDIA drivers, among others. Most of the flaws are elevation of privilege issues.

The Dec. 1 patch level includes a patch for a remote code execution vulnerability in CURL/LIBCURL.

“The most severe issue could enable a man-in-the-middle attacker using a forged certificate to execute arbitrary code within the context of a privileged process,” Google said. “This issue is rated as High due to the attacker needing a forged certificate.”
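As an added example (not part of the original article or Google's bulletin), the sketch below triages a device inventory against the two patch levels described above, using the `YYYY-MM-DD` string Android reports in the `ro.build.version.security_patch` property. The device names and inventory are constructed, and the code assumes patch levels are cumulative by date.

```python
from datetime import date

# Patch levels named in the December 2016 bulletin described above.
PARTIAL_LEVEL = date(2016, 12, 1)  # the separate Dec. 1 level (no Dirty Cow fix promised)
FULL_LEVEL = date(2016, 12, 5)     # level that carries the CVE-2016-5195 fix


def parse_patch_level(value):
    """Parse a 'YYYY-MM-DD' patch level string; return None if malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (AttributeError, ValueError):
        return None


def dirty_cow_status(value):
    """Classify one reported patch level with respect to CVE-2016-5195."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"          # missing or malformed: needs manual review
    if level >= FULL_LEVEL:
        return "patched"          # assumption: later levels include earlier fixes
    if level >= PARTIAL_LEVEL:
        return "not_guaranteed"   # Dec. 1 level: Dirty Cow fix not promised
    return "not_patched"          # predates this bulletin entirely


def triage(inventory):
    """Group device names by Dirty Cow status."""
    report = {"patched": [], "not_guaranteed": [], "not_patched": [], "unknown": []}
    for device, level in inventory.items():
        report[dirty_cow_status(level)].append(device)
    return report


# Constructed sample inventory: device name -> reported security patch level.
INVENTORY = {
    "pixel-xl-01": "2016-12-05",
    "nexus9-07": "2016-12-01",
    "nexus6p-03": "2016-11-06",
    "tablet-12": "",
    "pixel-c-02": "2017-01-05",
}

if __name__ == "__main__":
    for status, devices in triage(INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the `not_guaranteed` and `unknown` groups are the ones to follow up on, since a Dec. 1 patch level string alone does not show whether the kernel fix is present.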
